CVE-2018-17187

Name of the Vulnerable Software and Affected Versions Apache Qpid Proton-J versions 0.3 through 0.29.0

Description The issue is related to the TLS wrapper layer in the Apache Qpid Proton-J transport, which did not properly verify peer certificates, making clients vulnerable to Man In The Middle (MITM) attacks. The problem occurred because the hostname verification mode was not implemented in versions 0.3 to 0.29.0, leaving only the option to verify if the certificate is trusted. This vulnerability can be exploited by a remote attacker to perform a MITM attack.

Recommendations For Apache Qpid Proton-J versions 0.3 through 0.29.0, upgrade to version 0.30.0 or later and use the VerifyMode#VERIFY PEER NAME configuration to enable hostname verification. As a temporary workaround, consider disabling the use of the transport TLS wrapper layer until a patch is available. Restrict access to the vulnerable TLS wrapper layer to minimize the risk of exploitation.